Feature request: Support for Wireguard

[qdm12]

VPN providers support

Natively

• [x] Mullvad
• [x] Windscribe
• [x] IVPN
• [x] Surfshark since 5989f29035da1770d1d8ba290a0b3ed942b24ad8
• [x] NordVPN since 07459ee854f9609c1e9aa7d7161f9af04a59199b

Using provider custom

Supported since 8645d978ba84b68a012356a0e5d40a770d487803 using VPN_SERVICE_PROVIDER=custom

• [x] VPNUnlimited
• [x] Torguard
• [x] PureVPN
• [x] Cyberghost
• [x] VyprVPN
• [x] WeVPN

Requires API

This is not done, and requires API communication to get the Wireguard keys etc.

• [ ] PIA - need to make PIA API package since it also depends on the token etc.
• [ ] PureVPN

Wireguard not supported

• [x] FastestVPN not supported
• [x] HideMyAss
• [x] SlickVPN
• [x] VPNSecure.me
• [x] IPVanish not supported
• [x] Privado not supported
• [x] PrivateVPN not supported
• [x] Perfect Privacy not supported
• [x] ExpressVPN not supported

Extraction needed

This requires to extract the wireguard config from their proprietary app. Let's face it, this is a lot of work for little result, and I might never get to it. But here is the list still:

• [x] NordVPN, see this comment
• [ ] Cyberghost, see this comment
• [ ] VyprVPN, following supported devices using VyprVPN version 4.0 and higher and Wireguard is not available to configure with Manual setup

Extra todos

• [x] Adapt logger prefix to openvpn or wireguard depending on VPN chosen instead of vpn
• [ ] ~Read keys from files/secrets~ see #614
• [ ] Read custom Wireguard configuration file => see #610
• [ ] Rotate private keys
  • [ ] For Mullvad see https://github.com/qdm12/gluetun/issues/134#issuecomment-918039180

[qdm12]

@frepke Ah indeed, they might not support manual setup. I have all the code and their Wireguard servers and public keys ready in #587 but it might come to the same workaround as for NordVPN, which is to somehow use their proprietary app to extract the configuration 😢 I'll let you know when I come to it, thanks!

[frepke]

@frepke Ah indeed, they might not support manual setup. I have all the code and their Wireguard servers and public keys ready in #587 but it might come to the same workaround as for NordVPN, which is to somehow use their proprietary app to extract the configuration 😢 I'll let you know when I come to it, thanks!

No problem, I can help when you're ready 😊

[ksurl]

@ksurl

The Vpnunlimited wireguard config is just a conf file download so supporting the custom config would cover it

Actually whilst we're at it!...

Can you generate a few Wireguard configs for different servers and find out the following:

1. Is the `Interface`'s `Address` the same for all configurations? If yes, continue:

2. Is the `Interface`'s `PrivateKey` the same for all configurations? If yes, continue:

3. If you do have a `PresharedKey` given, is it the same for all configurations? If yes, continue:

4. Is the `Endpoint` port the same for all configurations?

If any is different, then it will have to be a custom configuration file as a bind mount. Otherwise we could find our way with env variables that you set once for your account (better I think).

I checked 10+ servers. They're all different private key, address, preshared key, public key, and endpoint. the only way to check if the public key, preshared key and endpoint are the same is if different accounts can compare.

here's an example for Toronto, CA

[Interface]
PrivateKey = X
ListenPort = 51820
Address = 10.100.X.Y/32
DNS = 10.100.0.1

[Peer]
PublicKey = Ep24***VMCs=
PresharedKey = BE1w***Q1QM=
AllowedIPs = 0.0.0.0/0
Endpoint = 104.254.90.34:51820
PersistentKeepalive = 25

I left a few starting and end characters for the public key and preshared key if anyone wants to compare to theirs.

[jathek]

I checked 10+ servers. They're all different private key, address, preshared key, public key, and endpoint. the only way to check if the public key, preshared key and endpoint are the same is if different accounts can compare.

here's an example for Toronto, CA

[Interface]
PrivateKey = X
ListenPort = 51820
Address = 10.100.X.Y/32
DNS = 10.100.0.1

[Peer]
PublicKey = Ep24***VMCs=
PresharedKey = BE1w***Q1QM=
AllowedIPs = 0.0.0.0/0
Endpoint = 104.254.90.34:51820
PersistentKeepalive = 25

I left a few starting and end characters for the public key and preshared key if anyone wants to compare to theirs.

Checked with mine:

[Peer]
PublicKey = Ep24***VMCs=
PresharedKey = RscT***N5qU=
AllowedIPs = 0.0.0.0/0
Endpoint = 104.254.90.34:51820
PersistentKeepalive = 25

The PublicKey and Endpoint are the same but the PresharedKey is different. But when I generated a second conf for the same city again:

[Peer]
PublicKey = +riT***9LB0=
PresharedKey = 2qG3***3SUI=
AllowedIPs = 0.0.0.0/0
Endpoint = 104.254.90.58:51820
PersistentKeepalive = 25

Different values for everything, including Endpoint. Must be multiple servers and each has its own values.

[romainguinot]

@romainguinot

Do you know if there is anything to consider regarding the private key rotation or it's not considered necessary

No idea. Does Mullvad rotate private keys, or are you trying to rotate private keys yourself? It could be an interesting feature such as i.e. have WIREGUARD_PRIVATE_KEY accept a comma separated list of keys and restart wireguard periodically to rotate them, although probably not a priority for now. I added it to the Extra todos section up there.

@qdm12 i have noticed that sometimes Mullvad rotates the key by registering a new key and retiring the previous one themselves through their mobile app or desktop client.

I was therefore wondering if there was a "best practice" to recycle keys after some duration, or if that isn't necessary / justified by the protocol. I didn't find any documentation regarding their API though.

In any case if that's necessary, one can generate a new key, update the env var manually every 6 months or so for example.

[qdm12]

Thanks @nearcatch and @ksurl for your help. Alright, it will have to be through a custom configuration file then. Maybe one day I can hack together something to imitate what their website API does (log in, then generate a config using parameters etc.), but that could also break at anytime they change it, so not that ideal either.

I've updated the order to Torguard+VPN Unlimited first (custom config file), then PIA (as it's quite the API gymnastics), then Surfshark+NordVPN (use proprietary app to extract config)

@romainguinot interesting. I'll check what API endpoint they use on their website to register a Wireguard public key, and we could use that to generate keys within gluetun and register them. I added that to the list of extra todos.

For Windscribe and IVPN users, is it possible that you register your own Wireguard public key somewhere, even on their website? Although again, that's also risky as it might break whenever they decide to change the API / website. EDIT: so we should keep it optional 😉

[pratikbin]

Looking forward to use WireGuard out of the box with nordVPN.

[romainguinot]

@romainguinot interesting. I'll check what API endpoint they use on their website to register a Wireguard public key, and we could use that to generate keys within gluetun and register them. I added that to the list of extra todos.

Thanks ! i found this script which could be helpful : https://github.com/DanielG/dxld-mullvad/blob/master/mullvad-wg-netns.sh Would be real nice if it could rotate the key with a cron expression or similar supplied as an env var.

I don't know if the other containers that are routed through gluetun's container network would need to be also restarted if the key is rotated. For now i've noticed that dependent containers need to be restarted if gluetun's container is restarted or if the connection is manullay taken down for a test, but everything has been working fine since i put it in place.

[stoli412]

@qdm12 Thanks so much for your work on Wireguard! I'm using it with Mullvad and it's working great. I just had a question: is IPv6 tunnelling supported? Can I add the IPv6 subnet from my Mullvad config file to the WIREGUARD_ADDRESS variable in docker-compose?

[qdm12]

@romainguinot Nice, I'll have a look later, thanks for the research!

would need to be also restarted if the key is rotated

No, I can just restart Wireguard from within gluetun without a container restart to rotate keys. You can already try restarting wireguard with the http control server (well it's the /v1/openvpn route but oh well, we need a v4.x.x some time)...

@stoli412 Thanks! For now, it has ::/0 in the Wireguard allowed IPs but it only sets a route for IPv4. For now AFAIK, the firewall blocks ipv6 so it doesn't leak. As a consequence, I'm not sure if it tunnels IPv6 through Wireguard or just blocks it. If you host supports IPv6 (mine doesn't shame on me!), let me know if it does or doesn't tunnel it (with some online tests I guess?). If it doesn't / is blocked by the firewall, please create another issue and I'll address it. And for WIREGUARD_ADDRESS, well have a Go and see 😄 I haven't tried myself!

[Astroamadeus]

The home page says

ANNOUNCEMENT: Wireguard is now supported for all providers supporting it!

Does this mean that I can now use the .conf file provided by TorGuard to create a WireGuard VPN tunnel ?

Right now I am getting the following error: 2021/08/28 19:33:52 ERROR cannot read VPN settings: cannot read provider settings: environment variable VPNSP: value is not within the accepted values: torguard: it can only be one of: mullvad, windscribe, ivpn

[ksurl]

The home page says

ANNOUNCEMENT: Wireguard is now supported for all providers supporting it!

Does this mean that I can now use the .conf file provided by TorGuard to create a WireGuard VPN tunnel ?

Right now I am getting the following error: 2021/08/28 19:33:52 ERROR cannot read VPN settings: cannot read provider settings: environment variable VPNSP: value is not within the accepted values: torguard: it can only be one of: mullvad, windscribe, ivpn

where are you seeing that? the readme says "Supports Wireguard for Mullvad, Ivpn and Windscribe (more in progress, see #134)"

edit: I see it now near the top. good point, that should be removed or updated to reflect the current status. maybe link to the progress at the top of this thread.

[harrytheeskimo]

Hey @qdm12 thanks for the great work on this!!

I've just tested with Mullvad and it seems that a commit between the :wireguard branch last week and the :latest (possibly the one earlier today) seems to have broken the WIREGUARD_ADDRESS parameter parsing, in my case anyway.

When using :wireguard I'm up and running fine, but when flipping to :latest (docker cache flushed) I'm receiving the following error:

ERROR vpn: failed creating Wireguard: interface address is missing

I've tried using some CSV based on the description of the latest commit (i.e. multiple values of the same wireguard CIDR address, just in case that worked) but doesn't seem to change things. Tested from both Docker command line and docker-compose with same results.

Most previous tests used the following commands:

docker run -it --rm --name gluetun-test --cap-add=NET_ADMIN -e VPNSP=mullvad -e VPN_TYPE=wireguard -e WIREGUARD_PRIVATE_KEY="my priv key from Mullvad config file" -e WIREGUARD_ADDRESS="10.64.x.y/32" qmcgaw/gluetun:latest

docker run -it --rm --name gluetun-test --cap-add=NET_ADMIN -e VPNSP=mullvad -e VPN_TYPE=wireguard -e WIREGUARD_PRIVATE_KEY="my priv key from Mullvad config file" -e WIREGUARD_ADDRESS="10.64.x.y/32,10.64.x.y/32,10.64.x.y/32" qmcgaw/gluetun:latest

But when running the above using :wireguard it works just fine.

[qdm12]

@harrytheeskimo thanks for reporting the issue! It's fixed now (still building) with https://github.com/qdm12/gluetun/commit/61afdce788c8eb8896bb15a3276808ac819055f5

[harrytheeskimo]

@harrytheeskimo thanks for reporting the issue! It's fixed now (still building) with 61afdce

That did it - all working now, thanks!

[romainguinot]

I rebased to the "latest" branch a few days ago and all still works fine with wireguard support. Thanks again for the work !

[jathek]

I think support needs to be added to the http api for wireguard? I tried toggling the vpn using the api and it appeared to toggle off fine but got {"outcome":"crashed"} when I tried turning it back on.

[VMax2]

@qdm12 Hi, what's the Wireguard support situation for CyberGhost VPN?

[qdm12]

I tried toggling the vpn using the api and it appeared to toggle off fine

That's a bug, I'll check. EDIT: definitely a bug, the tun device doesn't seem to be created on the 2nd run.

Also yes the api should be changed somehow since openvpn and wireguard run in the same 'loop', so that http route should be renamed to vpn instead of openvpn

@VMax2 can you ask cyberghost support if they support manual wireguard or if you can download wireguard configs? If you can, can you attach some wireguard config files as a zip here please? Don't forget to remove the Private Key and Preshared key.

[qdm12]

@nearcatch It should be fixed by 82ac568ee349992ae4c592ee5d24908a3780be75 in the :latest image. It was the Wireguard link wg0 not being shutdown & removed properly, so it would prevent a second one from taking its place. Thanks for letting me know.

EDIT: Everyone if you find a Wireguard issue in the future, please create an issue instead of commenting here as this one is getting quite long already 😄

[VMax2]

@qdm12 of course i will but i wouldn't be so confident about they supply a manual method, i searched inside their site and till now i only found that the sole way using Wireguard protocol (it's the same for Linux and Windows) it's by using their app... i will update you here as soon as they will reply me

[VMax2]

@qdm12 As i was supposing...nothing to do for now, they told that they are planning to give a manual method in a next future but at the moment the only way to use Wireguard protocol is by their app... :(

[Akirainblack]

@qdm12 any news on Torguard support? It says use custom config but I can't find any information on how to use a custom config. Thank you for all your work on this. I'm really looking forward to being able to use wireguard in the future. If you need beta testing I'm more than happy to do so.

[Jonathan34]

@Akirainblack Custom config is not yet supported. I understood same as you when I first read this. You need a Torguard custom config and gluetun needs to support it. I ended up using the linuxserver.io wireguard docker image and route traffic from other containers to it. Works very well and easy setup.

[Akirainblack]

@Jonathan34 Thank you. Yes, sadly that doesn't work on my Synology as a client (I have it running as a server so I can connect back in when I'm away from home) and they refuse to support a Synology device using Wireguard. I've been lead to believe this container does work.

[qdm12]

I'm adding support for wireguard config files now, it should work on older kernels without wireguard too. I'll comment back with an image tag to try.

[Akirainblack]

@qdm12 wonderful.. I would love to say I'll wait patiently.. BUT I'd be lying. ;)

[qdm12]

@Akirainblack 😅

Torguard and VPN Unlimited

EDIT: See https://github.com/qdm12/gluetun/issues/134#issuecomment-918521952

qmcgaw/gluetun:wireguard-test adds environment variables for Torguard and VPN Unlimited only WIREGUARD_ENDPOINT_IP and WIREGUARD_PUBLIC_KEY which should allow you to copy paste values from your config file as env variables, together with existing variables.

docker pull qmcgaw/gluetun:wireguard-test
docker run -it --rm --cap-add=NET_ADMIN -e VPNSP=torguard -e VPN_TYPE=wireguard -e WIREGUARD_ENDPOINT_IP=1.2.3.4 -e WIREGUARD_PORT=51820 -e WIREGUARD_PUBLIC_KEY=blabla -e WIREGUARD_ADDRESS="5.6.7.8/32" -e WIREGUARD_PRIVATE_KEY=blabla -e WIREGUARD_PRESHARED_KEY=blabla qmcgaw/gluetun

Substitude torguard with vpn unlimited if you need to, as well as the other env variables values.

⚠️ This will not make it to the master branch. Instead I'm solving #611 which will allow the exact same usage but using VPNSP=custom so it is VPN provider independent. Feel free to subscribe to it to know when it's in the master branch (latest image).

Cyberghost, NordVPN, Surfshark and WeVPN

EDIT: See https://github.com/qdm12/gluetun/issues/134#issuecomment-918521952

• Subscribe and comment on #611 to reduce noise here.
• I'll add a VPNSP=custom value for both OpenVPN and Wireguard to use custom configurations (from env first, from files later with #610)
• I'll leave the responsibility to extract the Wireguard configuration files from their app to the users for now

Config files

Subscribe to #610 for support of Wireguard configuration files, with a bunch of side features.

PIA

Subscribe to and comment on #612 which sums up everything everyone said about it for now. PIA is next on my list so that should be resolved soon.

[Akirainblack]

Sadly doesn't appear to be working for me at the moment:

2021/09/12 10:10:36 INFO vpn: Wireguard is up,
2021/09/12 10:10:45 ERROR ip getter: Get "https://ipinfo.io/ip": dial tcp: lookup ipinfo.io on 1.1.1.1:53: read udp <externalIP>:54798->1.1.1.1:53: i/o timeout,
2021/09/12 10:10:25 INFO vpn: Wireguard is up,
2021/09/12 10:10:36 INFO vpn: starting,
2021/09/12 10:10:25 INFO dns over tls: downloading DNS over TLS cryptographic files,
2021/09/12 10:10:35 WARN dns over tls: cannot update files,
2021/09/12 10:10:35 INFO dns over tls: attempting restart in 10s,
2021/09/12 10:10:36 INFO healthcheck: program has been unhealthy for 6s: restarting OpenVPN,
2021/09/12 10:10:36 INFO vpn: stopping,
2021/09/12 10:10:36 ERROR vpn: cannot get version information: Get "https://api.github.com/repos/qdm12/gluetun/releases": context canceled,
2021/09/12 10:10:36 INFO firewall: setting VPN connection through firewall...,
2021/09/12 10:10:45 INFO dns over tls: downloading DNS over TLS cryptographic files,
2021/09/12 10:10:45 INFO ip getter: retrying in 5s,
2021/09/12 10:10:47 INFO healthcheck: program has been unhealthy for 11s: restarting OpenVPN,
2021/09/12 10:10:47 INFO vpn: stopping,
2021/09/12 10:10:47 ERROR vpn: Failed to read packet from TUN device: read /dev/net/tun: not pollable,
2021/09/12 10:10:47 INFO vpn: starting

[qdm12]

@Akirainblack can you pull the :wireguard-test image and try again?

Referring to https://github.com/golang/go/issues/38618, I added 19bf62c21f460fa9dec8f4949c80e51036fd2435 which might solve your TUN device issue.

[TheNexter]

(Edit by qdm12) See #617

[qdm12]

@TheNexter that's a different issue, I created https://github.com/qdm12/gluetun/issues/617 for you with an additional question, please continue the discussion here, thanks! I'll remove your comment above.

[Akirainblack]

Wireguard comes up but still fails to download updates, version info or check IP.

[Sn0wCrack]

@qdm12 I noticed in the main post on the issue you were looking for a Mullvad API, unsure if you're still looking but there's something mention in their docs about this:

Getting an IP to use with Mullvad

While connected to the router using ssh:

First install curl: opkg update && opkg install curl

curl https://api.mullvad.net/wg/ -d account=YOURMULLVADACCOUNTNUMBER --data-urlencode pubkey=YOURPUBLICKEY

The IP address to use with Mullvad will be returned.

The endpoint https://api.mullvad.net/wg/ them returns a comma-separated list of IP ranges that are applicable to the provided public key. On my end, it returned an IPv4 range (/32) and an IPv6 range (/128)

There's also an API endpoint for pushing wireguard keys I found in the source code of the Mullvad application foundation code base here: https://github.com/mullvad/mullvadvpn-app/blob/584a4f31cb64a4b02f81a2bade1fa99eeb4d98ca/mullvad-rpc/src/lib.rs#L394 (there's also some in the iOS swift code as well that implement this same API)

It looks like it hits an endpoint at: https://api.mullvad.net/v1/wireguard-keys (or at least I believe) with a POST request with a format that might be:

{
    "pubkey": "public_key_content"
}

There's also a replace, get and remove endpoint, if we're looking to rotate a key, maybe the https://api.mullvad.net/v1/replace-wireguard-key might be a good one to use.

It looks like it takes in a request body similar to this:

{
    "old": "public_key_to_remove"
    "new": "public_key_to_add"
}

Pretty much all of this seems to be encapsulated under the mullvad-rpc crate they have in the main application repository, but it doesn't seem to contain any documentation I can find on how to use this API, but it looks like an auth token is set on the Authorization header as "Authorization: Token xxxxx", but I can't seem to get any of the endpoints to respond correctly, it looks like it might require public key pinning to access without it 404ing.

Alternatively, there's the website API which is accessible under: https://api.mullvad.net/www

You can create a session using: GET https://api.mullvad.net/www/accounts/{account_number}

In this the response returns an auth_token variable that you set on your Authorization header when performing other actions, it all looks to return information about your configured wireguard keys and their associated IP addresses.

It also looks like there's a "https://api.mullvad.net/www/wg-pubkeys/add/" POST endpoint you can send a request like the following:

{
    "pubkey": "public_key"
}

And it should return a response with the ipv4 and ipv6 range associated with that public key.

Then there's "https://api.mullvad.net/www/wg-pubkeys/revoke/" POST endpoint which can remove a public key, it has the same body as the above.

All of these seem to work fine when querying them using cURL, so they should work fine programmatically, albeit could be unstable since they're undocumented and not open-sourced.

It might also be worth reaching out to Mullvad and seeing if they can't provide some documentation for their REST API they use in their app.

[qdm12]

@Akirainblack can you please create another issue with logs when running with -e LOG_LEVEL=debug -e HEALTH_VPN_DURATION_INITIAL=100s please?

@Sn0wCrack that's awesome work 💯! I linked it in the main issue body. I will set it up in Gluetun using their www api such that it's optional to generate keys and communicate with their API to rotate keys. That way if it's unstable / they break the API on their end, it's still fine and you can use a private key you set manually as we do now.

[Akirainblack]

Pulled latest wireguard-test and added those 2 env variables:

2021/09/13 19:47:45 DEBUG wireguard: peer(XYkH…krGs) - UAPI: Adding allowedip,
2021/09/13 19:47:45 DEBUG wireguard: peer(XYkH…krGs) - Routine: sequential receiver - started,
2021/09/13 19:47:45 DEBUG wireguard: peer(XYkH…krGs) - Routine: sequential sender - started,
2021/09/13 19:47:45 DEBUG wireguard: Interface up requested,
2021/09/13 19:47:45 INFO wireguard: Wireguard is up,
2021/09/13 19:47:45 INFO dns over tls: downloading DNS over TLS cryptographic files,
2021/09/13 19:47:50 DEBUG wireguard: peer(XYkH…krGs) - Sending handshake initiation,
2021/09/13 19:47:45 DEBUG wireguard: peer(XYkH…krGs) - Sending handshake initiation,
2021/09/13 19:47:55 INFO dns over tls: attempting restart in 10s,
2021/09/13 19:47:55 WARN dns over tls: cannot update files,
2021/09/13 19:47:55 DEBUG wireguard: peer(XYkH…krGs) - Sending handshake initiation,
2021/09/13 19:48:05 INFO dns over tls: downloading DNS over TLS cryptographic files,
2021/09/13 19:48:00 DEBUG wireguard: peer(XYkH…krGs) - Sending handshake initiation,
2021/09/13 19:48:05 ERROR vpn: cannot get version information: Get "https://api.github.com/repos/qdm12/gluetun/releases": dial tcp: lookup api.github.com on 1.1.1.1:53: read udp 10.13.64.61:50124->1.1.1.1:53: i/o timeout,
2021/09/13 19:48:05 ERROR ip getter: Get "https://ipinfo.io/ip": dial tcp: lookup ipinfo.io on 1.1.1.1:53: read udp 10.13.64.61:46584->1.1.1.1:53: i/o timeout,
2021/09/13 19:48:05 INFO ip getter: retrying in 5s,
2021/09/13 19:48:06 DEBUG wireguard: peer(XYkH…krGs) - Handshake did not complete after 5 seconds, retrying (try 2),
2021/09/13 19:48:06 DEBUG wireguard: peer(XYkH…krGs) - Sending handshake initiation

[qdm12]

@Akirainblack please create another issue as I mentioned above to avoid spamming here (your comment is hidden as off topic).

Torguard, VPN Unlimited and WeVPN users, https://github.com/qdm12/gluetun/commit/8645d978ba84b68a012356a0e5d40a770d487803 adds support to run with:

docker run -it --rm --cap-add=NET_ADMIN -e VPNSP=custom -e VPN_TYPE=wireguard \
-e WIREGUARD_ENDPOINT_IP=86.106.143.67 -e WIREGUARD_PORT=51820 \
-e WIREGUARD_PUBLIC_KEY="5FXy0/tMXj/TYKVj9PHJ42lCpbWP4qLAOpLZa6FnsRw="  \
-e WIREGUARD_ADDRESS="11.48.216.37/32" \
-e WIREGUARD_PRIVATE_KEY="OFf8G73HKurisHXAUmrXxU5C0VD50EMn3N9KAbut/1k=" \
qmcgaw/gluetun

I tested it with Mullvad and it works. If yours doesn't work, it's another problem so please create another issue NOT HERE.

NordVPN, Cyberghost and Surfshark for now you'll have to extract the Wireguard config yourself using their application, if you want to plug it in Gluetun, and it should work (assuming the protocol is still the actual Wireguard protocol). I'll eventually develop some Docker images to extract it more easily later down the line.

[Jonathan34]

@qdm12 I hope the ip, private key and public key above have been deleted or are fake, otherwise, I suggest you generate a new ones.

[qdm12]

They are not fake, but generated just for the comment 🤓 Except the public key because it's public hehe

[qdm12]

@blckwhtx and @nearcatch can you please comment on #617 if Windscribe+wireguard still works for you with the latest image please? Thanks!!

[qdm12]

Ran some speedtests (finally duh) to compare Wireguard and OpenVPN: https://github.com/qdm12/gluetun/wiki/Wireguard#performance

TLDR; Wireguard doesn't really increase bandwidth performance 😢

Does anyone uses a Raspberry Pi (or other Linux low power device) and could do a speedtest with that command mentioned in the Wiki to a nearby server? I need Docker on my phone, now that I'm thinking about it 😄

[bozzfozz]

@blckwhtx and @nearcatch can you please comment on #617 if Windscribe+wireguard still works for you with the latest image please? Thanks!!

it's been working all the time

[bozzfozz]

@blckwhtx and @nearcatch can you please comment on #617 if Windscribe+wireguard still works for you with the latest image please? Thanks!!

it's been working all the time

it works for me on both systems (synology / ubuntu)

[ksurl]

I tested on vpnunliimited and this is what I needed to use in docker-compose file to get it to start, but it keeps failing to get public ip so it bootloops

environment:
  - VPNSP=vpn unlimited
  - VPN_TYPE=wireguard
  - WIREGUARD_ENDPOINT_IP=$ENDPOINT_IP
  - WIREGUARD_PORT=51820
  - "WIREGUARD_PUBLIC_KEY=$PUBLIC_KEY"
  - WIREGUARD_ADDRESS=$IP
  - "WIREGUARD_PRESHARED_KEY=$PRESHARED_KEY"
  - "WIREGUARD_PRIVATE_KEY=$PRIVATE_KEY"

log

2021/09/22 19:22:28 INFO routing: default route found: interface eth0, gateway 172.17.0.1, 2021/09/22 19:22:28 INFO routing: local ethernet link found: eth0, 2021/09/22 19:22:28 INFO routing: local ipnet found: 172.17.0.0/16, 2021/09/22 19:22:28 INFO routing: default route found: interface eth0, gateway 172.17.0.1, 2021/09/22 19:22:28 INFO routing: adding route for 0.0.0.0/0, 2021/09/22 19:22:28 INFO firewall: firewall disabled, only updating allowed subnets internal list, 2021/09/22 19:22:28 INFO routing: default route found: interface eth0, gateway 172.17.0.1, 2021/09/22 19:22:28 INFO firewall: enabling..., 2021/09/22 19:22:28 INFO firewall: enabled successfully, 2021/09/22 19:22:28 INFO dns over tls: using plaintext DNS at address 1.1.1.1, 2021/09/22 19:22:28 INFO firewall: setting VPN connection through firewall..., 2021/09/22 19:22:28 INFO http server: listening on :8000, 2021/09/22 19:22:28 INFO healthcheck: listening on 127.0.0.1:9999, 2021/09/22 19:22:28 INFO wireguard: Wireguard is up, 2021/09/22 19:22:28 INFO dns over tls: downloading DNS over TLS cryptographic files, 2021/09/22 19:22:43 WARN dns over tls: cannot update files, 2021/09/22 19:22:43 INFO dns over tls: attempting restart in 10s, 2021/09/22 19:22:49 INFO healthcheck: program has been unhealthy for 6s: restarting VPN, 2021/09/22 19:22:49 INFO vpn: stopping, 2021/09/22 19:22:49 ERROR vpn: cannot get version information: Get "https://api.github.com/repos/qdm12/gluetun/releases": context canceled, 2021/09/22 19:22:49 INFO vpn: starting, 2021/09/22 19:22:49 INFO firewall: setting VPN connection through firewall..., 2021/09/22 19:22:49 INFO wireguard: Wireguard is up, 2021/09/22 19:22:53 INFO dns over tls: downloading DNS over TLS cryptographic files, 2021/09/22 19:22:58 ERROR ip getter: Get "https://api.ipify.org": context deadline exceeded (Client.Timeout exceeded while awaiting headers), 2021/09/22 19:22:58 INFO ip getter: retrying in 5s, 2021/09/22 19:23:08 WARN dns over tls: cannot update files, 2021/09/22 19:23:08 INFO dns over tls: attempting restart in 20s, 2021/09/22 19:23:09 INFO healthcheck: program has been unhealthy for 11s: restarting VPN, 2021/09/22 19:23:09 INFO vpn: stopping, 2021/09/22 19:23:09 INFO vpn: starting, ...

[cardimajs]

Hi, i'm using surfshark, they not provide manual config, but after sniffing their app i can get it working manualy.

1. Login to Surfshark API
   • url: https://api.surfshark.com/v1/auth/login
   • method: POST
   • body: {username: "your@email.com", password: "yourPassword"}
   • response: {token: "eyJ0e...", renewToken: "eyJ..."}
2. Send your public key to the Surfshark API
   • url: https://api.surfshark.com/v1/account/users/public-keys
   • method: POST
   • body: {pubKey: "your public key" }
   • headers: {Authorization: "Bearer RESPONSE TOKEN OF LOGIN"}

3. Use config file

   [Interface]
   Address=10.14.0.2/8
   PrivateKey=GAJb1kd/y6vPJsM11yKBI/NPvsUzKaST4+G2xHUWaFh=
   ListenPort=51820
   
   [Peer]
   PublicKey=IFTVXxhLEqVgZI/JGOPRtmrNUQW1DNljeBe8Ys7v90A=
   Endpoint=br-sao.prod.surfshark.com:51820
   AllowedIPs=0.0.0.0/0
   PersistentKeepAlive=25

You can get your server public key from their API, each server has a different public key

{
    "country": "Brazil",
    "countryCode": "BR",
    "region": "The Americas",
    "regionCode": "AM",
    "load": 27,
    "id": "e1ff80e5-11b8-41ec-9fc8-82205776114c",
    "coordinates": { "longitude": -46.616667, "latitude": -23.533333 },
    "info": [
      {
        "id": "cfe8477c-36af-4049-a148-2e0f2a7874bf",
        "entry": { "value": "U2FsdGVkX19pQ594n1+SQVF66uDvJFnU7y/4+4t3x0k=" }
      }
    ],
    "type": "generic",
    "location": "Sao Paulo",
    "connectionName": "br-sao.prod.surfshark.com",
    "pubKey": "IFTVXxhLEqVgZI/JGOPRtmrNUQW1DNljeBe8Ys7v90A=",
    "tags": ["physical"],
    "transitCluster": null,
    "flagUrl": "https://cdn.ss-cdn.com/assets/flags/BR.png"
},

EDIT by qdm12: Formatting

[frepke]

Hello @cardimajs,

Can you point me in the right direction for 2. , 1.'s token I already retrieved

EDIT by qdm12: Formatting

[qdm12]

@ksurl Please create a discussion for this, I'll hide your comment for now (and unhide if it's actually a bug). It might be a configuration problem.

@cardimajs that's awesome 🎉 I'll get back to it (on #587)! So I guess it's also fine to generate a Wireguard keypair on each connection right? Or would you see a point in persisting the token and refresh token to keep the same keypair across container restarts (harder to implement for me)?

You can get your server public key from their API

@frepke indeed, their API has their public key. You can check on my Surfshark wireguard branch the servers.json (and ctrl+f to find surfshark).

[frepke]

And where to find the private key?

[qdm12]

@pundoo You do need to generate a Wireguard keypair to register the public key of that keypair you generated through their API right? That's how I understood it 🤔 And what does expire in 7 days? The token or the registration of your public key?

[qdm12]

I have a few questions on top for @pundoo and/or @cardimajs

1. Where do you get your [Interface]'s Address value (10.14.0.2/8 in this case)?
2. Where do you get your [Interface]'s PrivateKey value (GAJb1kd/y6vPJsM11yKBI/NPvsUzKaST4+G2xHUWaFh= in this case)? This is clearly not the same as the server public key IFTVXxhLEqVgZI/JGOPRtmrNUQW1DNljeBe8Ys7v90A= 🤔 And if they actually do use the public key of their server as the client private key, this is a major security problem.

Maybe commenting with an example response (only keeping the first 2-3 and last 2-3 chars of keys if possible) from https://api.surfshark.com/v1/account/users/public-keys would help.